The Open Group specification is a very good document on common technical approaches such as ~ usage (home/user), the shell, the use of $ variables and parameters, scripting, and exit status.

They all share the same fundamentals of:

users (uid-s) and groups (gid-s) as numbers

file and directory Discretionary Access Control (DAC)

With all the Unix security (wiki) information you can build a secure environment at this Unix host level.

Unix users/groups

Users id

User administration is by default local on the machine. All keys are identified by the system by number, the User identifier (uid).
Natural names are only shown if the administration contains a name for that number.
The key named "root" gets number 0. All access to the system is open for this key. User and group administration is done as "root".
Everyone is able to view user and group information on the system. Passwords are (if hardening is done well) available only as hashes, and only to root-level access.

In an operational system the responsibility for maintaining users/groups is moved to LDAP (or something like BoKS).

Groups gid

Group administration, like user administration, is by default local on the machine. All keys are identified by the system by number, the Group identifier (gid).

id gid information

User information is sometimes available via "lsuser" (AIX). The administration files are world-readable:

grep username /etc/passwd
grep username /etc/group

Group information is sometimes available via "lsgroup" (AIX). The administration file is world-readable:

grep ^staff: /etc/group
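The grep lines above show where the numbers live; the script below, added here as an example and not part of the original page, resolves a name to its uid and collects the primary and supplementary groups the way id(1) does, from passwd(5)/group(5)-format records. The records are constructed sample data; the function names uid_of, groups_of and in_group are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): resolve a user name to its numeric
# uid and list the groups it belongs to, from passwd/group-format data.
# The sample records below are constructed; point the functions at real files
# by replacing the two variables with $(cat /etc/passwd) and $(cat /etc/group).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
alice:x:1001:100:Alice:/home/alice:/bin/sh
svc_app:x:1500:1500:App service:/var/lib/app:/sbin/nologin'
SAMPLE_GROUP='root:x:0:
users:x:100:
staff:x:50:alice
sshusers:x:1600:alice
app:x:1500:'

# uid_of NAME -> prints the numeric uid; exit status 1 if the name is unknown
uid_of() {
  printf '%s\n' "$SAMPLE_PASSWD" |
    awk -F: -v u="$1" '$1 == u { print $3; found = 1 } END { exit !found }'
}

# groups_of NAME -> prints the primary group (gid from passwd field 4) followed by
# the supplementary groups (group(5) field 4 is the comma-separated member list);
# exit status 1 if the name is unknown
groups_of() {
  gid=$(printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v u="$1" '$1 == u { print $4 }')
  [ -n "$gid" ] || return 1
  printf '%s\n' "$SAMPLE_GROUP" |
    awk -F: -v u="$1" -v g="$gid" '
      $3 == g { primary = $1; next }
      { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) sup = sup " " $1 }
      END { print primary sup }'
}

# in_group NAME GROUP -> exit 0 when NAME is a primary or supplementary member of GROUP
in_group() {
  for g in $(groups_of "$1"); do
    [ "$g" = "$2" ] && return 0
  done
  return 1
}

# Stand-alone run: show what the system would report for each sample account.
for u in root alice svc_app; do
  printf '%s uid=%s groups=%s\n' "$u" "$(uid_of "$u")" "$(groups_of "$u")"
done
```

Note that the group file only lists supplementary members; the primary group comes from the passwd record, which is why a user can be in a group without appearing in /etc/group at all.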

User settings: rlogin login su

These are user settings that get much attention in Unix hardening.
Search IBM (AIX): aix 61 cmds chuser
The normal way to switch users is su. The login command can also have the switch-user function. linux about - login
Traceability is not as good as sometimes required. su wiki

rlogin is remote access between Unix systems. This method is seen as unsafe (no encrypted password usage). It should be set to "false". See: rlogin wiki

The login (command and user attribute) is the normal access to Unix systems using a terminal. It uses the shell, typing commands, like in the old PC-DOS age.
unix shell wiki

User settings: RedHat (fedora)

setuid setgid, (Posix)

The POSIX standard describes the setuid functionality:
009695399/functions/setuid If the process has appropriate privileges, setuid() shall set the real user ID, effective user ID, and the saved set-user-ID of the calling process to uid.
The rationale describes the why and how from a design view: not wanting the superuser (root) to be used.
With Linux the POSIX guideline is followed.
Setuid Demystified, Hao Chen, David Wagner (University of California at Berkeley), Drew Dean (SRI International). Remark: OpenSSH contains many setuid calls.
From: Proceedings of the 11th USENIX Security Symposium, pages 171--190, San Francisco, CA, August 2002.
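The practical counterpart of the setuid discussion is knowing which files on a host carry the set-user-ID or set-group-ID bit, since each one runs with another identity than the caller. The script below is an added example, not code from the page or from the cited paper: it classifies a file's setuid/setgid bits with find(1) and compares every such file under a directory with an allowlist. The function names and the scratch files in demo are this example's own; the allowlist path is whatever you pass in.

```shell
#!/bin/sh
# Added example (not from the original page or the cited paper): find and classify
# set-user-ID / set-group-ID files and compare them with an allowlist of the ones
# that are expected on the host. Uses only POSIX sh and find.

# suid_class FILE -> prints setuid, setgid, setuid+setgid or none
suid_class() {
  s=$(find "$1" -prune -perm -4000 -print 2>/dev/null)
  g=$(find "$1" -prune -perm -2000 -print 2>/dev/null)
  if [ -n "$s" ] && [ -n "$g" ]; then echo setuid+setgid
  elif [ -n "$s" ]; then echo setuid
  elif [ -n "$g" ]; then echo setgid
  else echo none
  fi
}

# audit_suid DIR ALLOWLIST -> prints every setuid/setgid regular file under DIR
# that is not listed (one path per line) in the ALLOWLIST file
audit_suid() {
  find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort |
  while IFS= read -r f; do
    grep -qxF "$f" "$2" || printf 'UNEXPECTED: %s (%s)\n' "$f" "$(suid_class "$f")"
  done
}

# count_unexpected DIR ALLOWLIST -> number of files audit_suid would report
count_unexpected() {
  audit_suid "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone demonstration in a scratch directory created here (no system path touched).
demo() {
  d=$(mktemp -d)
  touch "$d/passwd-like" "$d/wall-like" "$d/both"
  chmod 4755 "$d/passwd-like"      # set-user-ID, like /usr/bin/passwd
  chmod 2755 "$d/wall-like"        # set-group-ID
  chmod 6755 "$d/both"
  printf '%s\n' "$d/passwd-like" > "$d/allow.txt"
  audit_suid "$d" "$d/allow.txt"
  rm -rf "$d"
}
demo
```

On a real host the interesting call is audit_suid / against a recorded baseline; anything new in that list is either a package update or something to investigate.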

nosshd

How to control terminal access usage with the Unix "Secure SHell Daemon" sshd is a basic question.
The trick is the config file: /etc/ssh/sshd_config
au-ssh_restrict (IBM) and sshd_config linuxhowtos are some hits. The simple way of managing it becomes clear.
Optional configuration statements are: AllowUsers / AllowGroups / DenyUsers / DenyGroups.
Defining membership of a group that denies ssh will prohibit ssh access.

In this way the sshd (terminal) can be limited to a list of groups or users. Notice that this part of security is just a config file.
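Because the four directives interact, it helps to see the decision they produce for a given user. The script below is an added example, not code from the page or from OpenSSH: it evaluates a sshd_config fragment for a user and its groups in the order the sshd_config manual documents (DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups). Both config fragments are constructed, the function names are this example's own, and matching is on exact names only, whereas real sshd also accepts wildcard patterns and user@host forms.

```shell
#!/bin/sh
# Added example (not from the page or OpenSSH): decide whether sshd would admit a
# user under AllowUsers/AllowGroups/DenyUsers/DenyGroups, in the documented order
# DenyUsers, AllowUsers, DenyGroups, AllowGroups. Exact-name matching only.

# Constructed config fragments (not a real host's files): one without any
# restriction, one that limits logins to two groups and denies a user and a group.
WEAK_CONFIG='PermitRootLogin yes
PasswordAuthentication yes'
HARDENED_CONFIG='PermitRootLogin no
DenyUsers guest
AllowGroups sshusers wheel
DenyGroups contractors'

# directive CONFIG NAME -> prints the values of the first matching directive
# (sshd keywords are case-insensitive, so compare lower-cased)
directive() {
  printf '%s\n' "$1" | awk -v k="$2" 'tolower($1) == tolower(k) { $1 = ""; sub(/^ /, ""); print; exit }'
}

# listed NAME LIST -> exit 0 if NAME is one of the space-separated words in LIST
listed() {
  for w in $2; do [ "$w" = "$1" ] && return 0; done
  return 1
}

# ssh_allowed CONFIG USER "GROUP..." -> prints allow/deny with the deciding directive;
# exit status 0 for allow, 1 for deny
ssh_allowed() {
  cfg=$1; user=$2; groups=$3
  if listed "$user" "$(directive "$cfg" DenyUsers)"; then echo "deny: DenyUsers"; return 1; fi
  au=$(directive "$cfg" AllowUsers)
  if [ -n "$au" ] && ! listed "$user" "$au"; then echo "deny: not in AllowUsers"; return 1; fi
  dg=$(directive "$cfg" DenyGroups)
  for g in $groups; do
    if listed "$g" "$dg"; then echo "deny: DenyGroups ($g)"; return 1; fi
  done
  ag=$(directive "$cfg" AllowGroups)
  if [ -n "$ag" ]; then
    for g in $groups; do
      listed "$g" "$ag" && { echo "allow: AllowGroups ($g)"; return 0; }
    done
    echo "deny: no group in AllowGroups"; return 1
  fi
  echo "allow: no restriction"; return 0
}

# Stand-alone run: the same three accounts against both configs.
for cfg in WEAK_CONFIG HARDENED_CONFIG; do
  eval "text=\$$cfg"
  printf '%s alice(users sshusers): %s\n' "$cfg" "$(ssh_allowed "$text" alice "users sshusers")"
  printf '%s bob(users): %s\n'            "$cfg" "$(ssh_allowed "$text" bob "users")"
  printf '%s guest(sshusers): %s\n'       "$cfg" "$(ssh_allowed "$text" guest "sshusers")"
done
```

Before reloading a changed file on a real host, run sshd -t -f /path/to/sshd_config to have sshd itself check the syntax; a typo in one of these keywords otherwise silently removes the restriction.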

su - sudo

sudo is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user (normally the superuser, or root).
Its name is a concatenation of the su command (which grants the user a shell of another user, normally the superuser) and "do", or take action.

In some cases sudo has completely supplanted the superuser login for administrative tasks, most notably in Linux distributions, such as Fedora and Ubuntu, as well as Apple's Mac OS X.

sudo license at the official sudo home site. (Todd C. Miller)
All information is available.
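What sudo grants is decided by the sudoers file, and the entries that matter for review are the ones that give "ALL" or a shell rather than one program. The script below is an added example, not code from the page or from the sudo project: it reads sudoers-style lines and reports grants of full root, full root without a password, or a shell as the permitted command. The sudoers content is constructed and the function names are this example's own; on a real host the input would be the visudo-checked file or the output of sudo -l.

```shell
#!/bin/sh
# Added example (not from the page or the sudo project): flag sudoers entries that
# hand out more than "run this one program as root". Constructed sudoers content.
SAMPLE_SUDOERS='Defaults  log_output
root    ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL) ALL
%ops    ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
deploy  ALL=(ALL) NOPASSWD: ALL
%dev    ALL=(ALL) /bin/sh'

# sudoers_finding LINE -> skip | ok | full-root | full-root-no-password | shell-as-command
sudoers_finding() {
  line=$1
  case "$line" in Defaults*|'#'*|"") echo skip; return 0 ;; esac
  cmds=${line##*\)}                      # everything after the (runas) part
  case "$cmds" in *NOPASSWD:*) nopw=1 ;; *) nopw=0 ;; esac
  cmds=${cmds#*NOPASSWD:}
  cmds=$(printf '%s' "$cmds" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
  if [ "$cmds" = ALL ] && [ "$nopw" = 1 ]; then echo full-root-no-password
  elif [ "$cmds" = ALL ]; then echo full-root
  else
    # a shell or su as the permitted command is full root under another name
    case "$cmds" in */sh|*/bash|*/su|*/sudo) echo shell-as-command ;; *) echo ok ;; esac
  fi
}

# lint_sudoers TEXT -> prints "finding<TAB>line" for every entry that is not ok/skip
lint_sudoers() {
  printf '%s\n' "$1" | while IFS= read -r l; do
    f=$(sudoers_finding "$l")
    case "$f" in ok|skip) ;; *) printf '%s\t%s\n' "$f" "$l" ;; esac
  done
}

lint_sudoers "$SAMPLE_SUDOERS"
```

The root entry is reported too; that is intended, since the point of the listing is to see every identity that ends up with unrestricted root and to decide per line whether it should.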

op operator access

boks

BoKS (FoxT ServerControl, wiki) adds keystroke logging. FoxT website.
It has a different command from sudo to switch user context. It propagates all keys/passwords to the local machine.
The advantages over direct LDAP are clear.
The disadvantages:

To make life easier with all the levels and naming conventions, a "link" (Symbolic_link, wiki) can be used.
The target file and directory remain fully under the security control of the OS. The complete path is checked, so there is no way to escape these checks when it is built correctly.

chown (change owner) is restricted to use by the root key. chgrp (change group) is an unrestricted command but requires membership of the new group.

nohup

The nohup option for starting processes makes it possible to start new processes and keep them running after a terminal logoff.

NFS, Unix shares

The nfs-security-trusted-untrusted-environments_1956 (SANS):
It was designed to be simple and efficient, not to be secure ...
It states that sharing data in Linux (Unix-like) systems by NFS has risks. This is not expected, as sharing with Microsoft Server is common usage and stated as safe.
Within secure datacenters the risks should be acceptable.

9.5 Securing NFS s1-nfs-security (Red Hat)
NFSv4 includes ACL support based on the Microsoft Windows NT model, not the POSIX model, because of its features and because it is widely deployed.
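Whether an NFS risk is "acceptable" depends mostly on how the export is written, so the check a practitioner wants is a read of /etc/exports for the options that widen exposure. The script below is an added example, not code from the page or the SANS and Red Hat documents it cites: it flags exports to any client ("*" or the classic "host (opts)" typo with a space, which exports to everyone), world-writable exports, no_root_squash and insecure. The sample lines are constructed and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the page or the documents it cites): lint /etc/exports-style
# lines for the settings that widen an NFS export's exposure. Constructed sample lines;
# for a real host run: lint_exports "$(cat /etc/exports)"
SAMPLE_EXPORTS='/srv/data   10.0.0.0/24(rw,sync,root_squash)
/srv/public *(ro,sync)
/srv/legacy 10.0.0.5(rw,no_root_squash)
/srv/old    *(rw,insecure,no_root_squash)
/srv/typo   10.0.0.7 (rw)'

# export_findings LINE -> comma-separated findings, or "ok"
export_findings() {
  clients=$(printf '%s' "$1" | awk '{ $1 = ""; print }')
  findings=""
  for spec in $clients; do
    host=${spec%%\(*}
    opts=${spec#*\(}; opts=${opts%\)}
    [ "$spec" = "$host" ] && opts=""      # no "(...)" part at all: default options
    world=0
    # "*" exports to any client; an empty host means "host (opts)" was written with a
    # space, which exports to everyone with those options (a classic exports mistake)
    case "$host" in "*"|"") world=1; findings="$findings,wildcard-client" ;; esac
    case ",$opts," in *,rw,*) [ "$world" = 1 ] && findings="$findings,world-writable" ;; esac
    case ",$opts," in *,no_root_squash,*) findings="$findings,no_root_squash" ;; esac
    case ",$opts," in *,insecure,*) findings="$findings,insecure" ;; esac
  done
  if [ -n "$findings" ]; then echo "${findings#,}"; else echo ok; fi
}

# lint_exports TEXT -> "path: findings" for every export that is not ok
lint_exports() {
  printf '%s\n' "$1" | while IFS= read -r l; do
    [ -n "$l" ] || continue
    f=$(export_findings "$l")
    [ "$f" = ok ] || printf '%s: %s\n' "${l%% *}" "$f"
  done
}

lint_exports "$SAMPLE_EXPORTS"
```

no_root_squash is the option that turns a client's root into root on the exported tree, which is why it is listed even for a single trusted host; insecure allows requests from non-privileged source ports, so any user on the client, not only root, can speak to the server.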

Samba, Unix to other shares

wiki.xbmc.org: smb CIFS Samba SMB/SAMBA/CIFS sharing has many advantages over the other options, ...

samba.org Samba is an important component to seamlessly integrate Linux/Unix Servers and Desktops into Active Directory environments using the winbind daemon.

X11 graphical , X-server - Mouse - call out

X11 is the X Window System (wiki). The X.org X was designed to be used over a network... Due to the ubiquity of support for X software on Unix, Linux and Mac OS X, X is commonly used to run client applications on personal computers even when there is no need for time-sharing. It is built as an additional (application) abstraction layer on top of the operating system kernel.

Usage of X11 with server access is not common practice. You need an X-server program on your desktop client. The X11 protocol is started from the host using a more typewriter-mode terminal.
It also implies coding the IP address of the desktop at the server side. Wanting to secure your desktop against incoming calls, you would register the server IP addresses.
There is no way of registering desktop IPs at the server side.

notes:

The state of kernel graphics support, jonsmirl/graphics (2005): why the renewal of X11 and OpenGL is that difficult.

Unix security limitations

/etc/passwd hash, shadow - 8 chars limit

Amazingly, Unix is very limited with passwords. Just eight (8) characters are normally used; the longer remaining part of the string is ignored. Jumping into this subject:
blog anthonyrthompson
user techdocs
The old crypt() routine is still used for compatibility reasons. A DES algorithm limits the hashing. The number of characters is limited from all 256 codes to about 52 (digits, upper- and lower-case characters).
Easy to crack/hack with no additional measures. Even worse is to be confronted with this subject through unexpected behaviour, wondering why something reacts that way when using machines.

The hash code and the shadow file are key elements in protecting the system's integrity.
Additional: do not use the standard key of the default installation and never ... never ... the standard key password of the default installation.
Time is the major factor. Delaying login attempts and warning systems are the best way of defence.
Straight locking out of keys can have serious impact: it can knock down the running service. In that case a DoS (Denial of Service) attack by the attacker is not even necessary.
This change of policy can be found at the SANS Institute site.
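The 8-character limit is visible in the hash itself: a DES crypt() hash is 13 characters with no "$id$" prefix, while the later schemes announce themselves with one. The script below is an added example, not code from the page: it classifies the hash scheme of shadow-format entries, lists the accounts that are still on DES crypt or have an empty password field, and checks that a shadow file is not readable by "other". The entries are constructed sample data (the hash strings are placeholders, not real hashes) and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the page): classify the password hash scheme of each
# shadow-format entry, report the ones still on the DES crypt() format (13-character
# hash, 8-character effective password) or with no password at all, and check that
# a shadow file is not world-readable. Sample entries are constructed, not real hashes.
SAMPLE_SHADOW='root:$6$saltsalt$notarealhash:19000:0:99999:7:::
legacy:abJnggxhB/yWI:12000:0:99999:7:::
svc:*:19000:0:99999:7:::
guest::19000:0:99999:7:::
bob:!$6$saltsalt$notarealhash:19000:0:99999:7:::
alice:$y$j9T$notarealsalt$notarealhash:19000:0:99999:7:::'

# hash_scheme ENTRY -> empty | locked | descrypt | md5crypt | bcrypt | sha256crypt |
#                      sha512crypt | yescrypt | unknown
hash_scheme() {
  h=$(printf '%s\n' "$1" | cut -d: -f2)
  case "$h" in
    "")                       echo empty ;;        # no password at all
    '!'*|'*'*)                echo locked ;;       # account cannot log in by password
    '$1$'*)                   echo md5crypt ;;
    '$2a$'*|'$2b$'*|'$2y$'*)  echo bcrypt ;;
    '$5$'*)                   echo sha256crypt ;;
    '$6$'*)                   echo sha512crypt ;;
    '$y$'*)                   echo yescrypt ;;
    *) if [ "${#h}" -eq 13 ]; then echo descrypt; else echo unknown; fi ;;
  esac
}

# weak_entries TEXT -> prints "user scheme" for entries that are empty or DES crypt
weak_entries() {
  printf '%s\n' "$1" | while IFS= read -r e; do
    [ -n "$e" ] || continue
    s=$(hash_scheme "$e")
    case "$s" in empty|descrypt) printf '%s %s\n' "${e%%:*}" "$s" ;; esac
  done
}

# shadow_mode_ok FILE -> exit 0 when FILE is not readable by "other" (mode bit 004 clear)
shadow_mode_ok() {
  [ -z "$(find "$1" -prune -perm -004 -print 2>/dev/null)" ]
}

weak_entries "$SAMPLE_SHADOW"
```

A DES entry does not go away by itself: the hash is only upgraded when the user next sets a password, so forcing a change for the accounts weak_entries reports is the way to retire the 8-character limit on a live system.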

maximum number of groups/key

One unexpected limitation is the maximum number of groups per key (ngroups_max, limits.h).
It changes between different Unix versions, and NFS is affected as well. It looks like newer systems are eliminating this limitation.

not getting updated groups

Running processes in Unix are not updated with new group rights when groups are deleted or added.
This can be a pitfall when trying to change to new requirements. You have to restart the service to get it active.

It will become a serious problem when running for months: a restart is needed and then you discover that somewhere in time security groups have been changed without notification,
and you are not able to restart the services again because some rights (groups) are needed.

Access Control Model

The security systems in Windows 2000 are based on technologies originally developed for Windows NT.
The Access Control Model is based on:

User-based authorization

Discretionary access to securable objects

Inheritance of permissions

Auditing of system events

Windows Security

Although more Windows versions exist, just one company is responsible: Microsoft.

A lot of Unix and other techniques are the same, as common knowledge or by regulation.

Windows users/groups

Admin accounts

The security of Windows is advanced.
Don't expect an Admin account to be an Admin account when used by a spawner.
Every process in Windows has some dedicated limitations. The local service account can't create admin account rights (elevation).

Windows has many different master accounts: domain admin, local admin, service account, ...
They are set up for different purposes and have different rights. This has evolved far more than Unix.

Old XP: "Windows XP could not start because the following file is missing or corrupt: \WINDOWS\SYSTEM32\CONFIG\SYSTEM". System error, Lsass.exe: "When trying to update a password the return status indicates that the value provided as the current password is not correct." kb 307545 How to recover from a corrupted registry that prevents Windows XP from starting

Every key gets a terrible number. The long numbers are domain based. Look for the human-recognizable names.

Registry to be cleaned of unwanted (long-number) related names

c:\users\ (names) to be cleaned

ff458273 What's New in Folder Redirection and User Profiles (Win-7)

Firewall

It is present on the machine since its introduction with XP. Knowledge of it is not very commonly shared.

cc754986 After you have identified your requirements, and have the information about the network layout and computers available, you can begin to design the GPO settings and rules that will enable you to enforce your requirements on the computers.
cc771920 Netsh Commands for Windows Firewall with Advanced Security
kb/947709 How to use the "netsh advfirewall firewall" context instead of the "netsh firewall" context to control Windows Firewall behavior in Windows Server 2008 and in Windows Vista

cc771920 The firewall has nested settings enabled. Firewall rules defined by the local administrator are merged with firewall rules from GPOs and are applied to the computer. (The stores are nested too.)

cc749242 Common Troubleshooting Situations using Windows Firewall with Advanced Security

Local
This name is the loop-back definition within TCP/IP. The name resolver should find it.
Instead a firewall pop-up kept popping up.
Still searching for the cause of this behaviour.
kb 307545

Windows DAC & AD

takeown icacls robocopy

With DACLs it is possible to implement a very detailed security scheme.
Don't expect these tools to be supported. In reducing the complexity of security, network access is often set back to basic share security.
Still you need this. There is much overlap in files at the Windows (desktop), e.g. with SAS.

icacls.exe and takeown.exe are present at Windows-7 home installations.

logical link

The concept of a logical link was missing in Windows. In Windows 7 it is there: mklink

Encrypted File System

How EFS Works EFS uses public key encryption in conjunction with symmetric key encryption to provide confidentiality for files that resists all but the most sophisticated methods of attack.
The file encryption key (FEK) — a symmetric bulk encryption key — is used to encrypt the file and is then itself encrypted by using the public key taken from the user's certificate, which is located in the user's profile. The encrypted FEK is stored with the encrypted file and is unique to it. To decrypt the FEK, EFS uses the encryptor's private key which only the file encryptor has.

Unix Posix in Windows

Windows (DOS) has copied much from Unix. Many small differences that looked to be going away. The slashes / and \ are exchanged, but the internet is forcing / as the standard. md and mkdir are logically equal, and with Win7 mkdir is also correct.
The posix command does not exist at my Win7 installation.

Because programs control the policy for creating files in Windows, files sometimes are created by using names that are not valid or reserved names, such as LPT1 or PRN. This article describes how to delete such files by using the standard user interface. NOTE: POSIX commands are case sensitive. Drives and folders are referenced differently than in MS-DOS. Windows 2000 and later POSIX commands must use the following usage syntax:
posix /c [] i.e.: posix /c c:\rm.exe -d AUX.

SAM Software Asset Management

License management is something different from security: SAM Microsoft
Implementing SAM protects your software investments and helps you recognize what you have, where it's running, and if your organization is using your assets efficiently.

Windows security limitations

.Net Caspol manifest file

These are advanced and very disturbing approaches. The standard AD security is replaced with a new security mechanism with new administration.
As they are not expected, their effects are normally ignored. .NET security is designed for web access. The local machine is defined to be open. Local intranet is the same as networked file shares and is set up to be closed.
Moving a program from a local drive to a networked drive is affected by these policies.

Note:
In the .NET Framework version 4, the common language runtime (CLR) is moving away from providing security policy for computers.
Microsoft is recommending the use of Windows Software Restriction Policies as a replacement for CLR security policy.
The information in this topic applies to the .NET Framework version 3.5 and earlier; it does not apply to version 4.0 and later.
For more information about this and other changes, see Security Changes in the .NET Framework 4.

PKI, Token, ACL

GUID UID

PHP is commonly used together with Apache (web server) and MySQL (database).
It has the same issues as all tools installed on an OS.

GUID: The term GUID typically refers to various implementations of the universally unique identifier (UUID) standard. UUID: A universally unique identifier (UUID) is an identifier standard used in software construction, standardized by the Open Software Foundation (OSF) as part of the Distributed Computing Environment (DCE).
The intent of UUIDs is to enable distributed systems to uniquely identify information without significant central coordination. PHP filesystem security

Generic approaches

Backdoor

Harmless code (easter eggs) is also a Backdoor (wiki), just a funny one.
The Rootkit (wiki) is the ultimate goal of a cracked system.
The technical implementation is the same. How can you predict that the funny message is harmless?

Unix Security

change password failures

One of the most threatening things is involved with wrong or incorrect changes. How do you know for sure the new situation is safe? A lot of technical documentation can be found.

Changing passx routines: AIX newpassx IBM
Why search for this? The changed new situation did not work. Found that the new version checks if the login date is filled and max-age and min-age are not zero before the new password is required.
The old situation did not check everything (security exploit) and the new situation did not synchronize the settings correctly (max-age - min-age).

Found like a needle in a haystack. It was hurting. Any more security exploits?

Generic policies & links

Password

Cracking/hacking passwords can be easy: use secre/ admin/admin. There are many password policies to make it more difficult to guess.
Knowing the hash code and the algorithm, or a way to check, every password can be cracked. It is a matter of time.
Some links: cracking passwords (geodsoft)
garykessler pam_cracklib (deer-run)

not validating input

getting out of service

DDoS, Distributed_denial-of-service (wiki): In computing, a denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a machine or network resource unavailable to its intended users.
Blocking service accounts. Code_injection (wiki): abuse to run code.